Anne van Kesteren wrote:
> The problem is that new methods (similar to TRACE and CONNECT) could be
> introduced which would require immediate patching to browsers.
Are you sure it's possible to introduce new methods that have similar
problems to TRACE and CONNECT?
New methods must be compatible with existing deployed proxies, which
means they have to be end-to-end, don't they? And isn't the security
of end-to-end requests a matter between the client and server
applications?
On a related but different note:
XMLHttpRequest does not allow cross-domain requests.
People are working around this constraint by using the old methods of
IFRAME and fetching JavaScript, because it is not (usually) subject to
the same restriction.
That means scripts are able to send GET and POST requests to any
domain, but they have limited control over the method and headers sent
and cannot examine the headers received. And parsing the returned
value and being notified of when it's received are more difficult.
Therefore, how about this proposal:
Relax XMLHttpRequest's constraints slightly to allow GET (only)
requests to any domain, with the constraint that in this case it's not
permitted to set arbitrary request headers or read most of the
response headers. (Reading "Content-Type" should be allowed).
-- Jamie
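As an added illustration (not code from the thread or from any browser), the following JavaScript models the policy Jamie proposes above: same-origin requests keep XMLHttpRequest's usual freedoms, cross-domain requests are limited to GET with no caller-set request headers, and only Content-Type is readable from a cross-domain response. The function names and the origin comparison rule (scheme, host and default-resolved port) are assumptions, since the message does not say how "domain" is compared.

```javascript
// Added example modelling the proposed cross-domain XMLHttpRequest policy.
// Assumption: two URLs share an origin when scheme, host and port match,
// with the port defaulted per scheme (80 for http, 443 for https).
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const defaults = { http: "80", https: "443" };
  const port = m[3] || defaults[scheme] || "";
  return scheme + "://" + host + ":" + port;
}

function isSameOrigin(docUrl, reqUrl) {
  return parseOrigin(docUrl) === parseOrigin(reqUrl);
}

// Decide whether a page at docUrl may issue req = { method, url, headers }.
// Cross-domain requests are GET-only and may not carry caller-set headers.
function checkCrossDomainRequest(docUrl, req) {
  if (isSameOrigin(docUrl, req.url)) {
    return { allowed: true, reason: "same-origin" };
  }
  if (req.method.toUpperCase() !== "GET") {
    return { allowed: false, reason: "cross-domain requests may only use GET" };
  }
  const custom = Object.keys(req.headers || {});
  if (custom.length > 0) {
    return { allowed: false,
             reason: "cross-domain requests may not set headers: " + custom.join(", ") };
  }
  return { allowed: true, reason: "cross-domain GET" };
}

// Filter the response headers a script may read: everything for a
// same-origin request, only Content-Type for a cross-domain one.
function visibleResponseHeaders(docUrl, reqUrl, responseHeaders) {
  if (isSameOrigin(docUrl, reqUrl)) return Object.assign({}, responseHeaders);
  const out = {};
  for (const name of Object.keys(responseHeaders)) {
    if (name.toLowerCase() === "content-type") out[name] = responseHeaders[name];
  }
  return out;
}
```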